samAccountName#

The samAccountName is defined in MSDN.

LDAP Attribute Definition#

The SamAccountName AttributeTypes is defined as:

• OID of 1.2.840.113556.1.4.221
• NAME: SamAccountName
• DESC: User logon name (pre-Windows 2000)
• EQUALITY:
• ORDERING:
• SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
• SINGLE-VALUE
• Used as MUST in:
  • securityPrincipal
• Used MAY in:

Interesting Aspects#

• SamAccountName attribute is a SINGLE-VALUE attribute that is the logon name used to support clients and servers from a previous version of Windows.
• SamAccountName MUST be less than 20 characters - with clients and servers running earlier versions of the Operating System, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager
• The schema reports the size for {$pagename}] as a upper-range of 256.
• "pre-Windows 2000 logon name" is the label in MMC Account Tab
• SamAccountName value must be a Unique Identifier among all security principal objects within a AD DOMAIN.[7]
• SamAccountName is a Ambiguous Name Resolution value

Required?#

As far as we know, although the schema and MSDN states it is "required", Windows Server 2003 and later will create SamAccountName for you if you don't specify it, but it is real ugly like: $9J2000-F2RTQRTA7C5F. Windows Server 2000 Microsoft Active Directory does not create SamAccountName, you must specify a value.

Restricted Values#

There some value restrictions in regards to the characters but we can not find any "official" documentation to what the restrictions are.

When you apply a bad value SamAccountName in Windows Server 2003, you will receive an error:

Error while executing LDIF
 - [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data
  javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0

We found a reference showing the following characters invalid in SamAccountName's: (Windows Server 2003)

" [ ] : ; | = + * ? < > / \ ,

These appears to work:

! @ # $ % ^ & ~ `

We have seen it written[1] that the following are valid:

• unicode characters, but accented characters generate collisions. So you can provision jmüller today and if tomorrow you try to provision jmuller, you will get a collision. So better normalize your SamAccountNames.
• The SamAccountName cannot end with . (period).
• Blanks (space) are allowed.

RegEx For Verification[2]#

We have used this and it appears to work:

^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,][^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])|[^.\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$

This translates to:

• Not Starting with a period (.) or a space ( ). - This, by design, excludes strings consisting solely of all periods (.) or spaces ( ).
• Between 1 and 64 characters (inclusive) long.
• Not including any of these characters: " [ ] : ; | = + * ? < > / \ ,
• Not ending in a period (.).
• I realize the page says 63 characters, but my testing shows 64 to be valid (Windows Server 2008) yet schema page [1] says 256!!! Adding or Modifying SamAccountName

Adding or modifying a user, from LDAP, with a samAccountName value that is the same value of an existing user entry will result in the following error:

Error while executing LDIF
 - [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 
  javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0

More Information#

There might be more information for this subject on one of the following:

• 1.2.840.113556.1.4.221
• ANR attribute set
• Active Directory Computer Related LDAP Query
• Ambiguous Name Resolution
• LDIF Generator
• MAD Naming Attributes
• MMC Account Tab
• MsDS-AdditionalSamAccountName
• Password Character Composition
• Password Flow From Active Directory to eDirectory
• SamAccountName
• SecurityPrincipal

---

• [#1] - http://blogs.technet.com/b/juanand/archive/2009/05/12/things-to-consider-when-provisioning-to-ad-adam.aspx 2012-08-31
• [#2] - http://blog.vertigion.com/post/18028230414/active-directory-validate-group-samaccountname - based on information retrieved 2013-08-19
• [#3] - You cannot add a user name or an object name that only differs by a character with a diacritic mark - based on information retrieved 2013-08-19
• [#4] - You must type a valid Username for the user. - based on information retrieved 2013-08-19
• [#5] - Object names - based on information retrieved 2013-08-19
• [#6] - Object names - based on information retrieved 2013-08-19
• [#7] - User Naming Attributes